Disclosure (Scotland) Bill: data protection impact assessment

5. Questions to identify privacy issues

5.1 Involvement of multiple organisations

There is a possibility that information from police forces, courts, professional registration bodies, local authorities and judicial bodies in EU member states in connection with Directive 2011/93/EU could be involved, depending on applicants’ criminal history. All appropriate measures have been taken to ensure data sharing is secure and compliant with the DPA and GDPR. The Disclosure Bill will not affect this and the processes and procedures as those under the previous regime will remain.

The independent reviewer will be appointed by Scottish Ministers and will be required to comply with all necessary protections for handling sensitive information. As part of their review, the independent reviewer may contact various public bodies in order to obtain additional information regarding the individual and the information that is proposed to be disclosed. All appropriate measures will be taken to ensure data sharing with the various organisations is secure and compliant with the DPA and GDPR. This will follow the same processes and procedures as those under the current system.

Disclosure Scotland will share proposed information with the independent reviewer through the secure Scottish Government IT network. Additional information that the independent reviewer has requested will come in to Disclosure Scotland from various organisations and representations will come from the individual. Any additional information received will be shared with the independent reviewer through the secure Scottish Government IT network. Further information on the role of the independent reviewer is detailed within the Age of Criminal Responsibility (Scotland) Bill PIA.

Information to support an appeal will need to be provided to a Sheriff and to the Scottish Government’s Legal Department (“SGLD”) as part of the appeal process, as is current procedure.

5.2 Anonymity and pseudonymity

The new review processes will lead to new categories of data being processed by the independent reviewer, Police Scotland and Disclosure Scotland. These will include any representations made by the individual as part of the review process, the outcome of any reviews and reasons for decisions.

The independent reviewer will be subject to a privacy policy. All appropriate measures will be taken to ensure data sharing with the independent reviewer is secure and compliant with the DPA and GDPR. Disclosure Scotland’s privacy policy will be updated to reflect the changes made by the Bill.

5.3 Technology

The systems, processes and data will be securely stored and will be accredited and tested to provide an assured level of security around the personal data required to execute the programme and the future service.

Disclosure Scotland has a security policy, technical architecture and security governance to provide compliance for the systems and services. This includes independent testing, assurance and accreditation
by key stakeholders. The IT system being developed has been subject to extensive CHECK technical IT penetration testing by an approved supplier. Vulnerabilities are addressed in a current risk treatment plan.

Further information on digital security can be found in the Disclosure Scotland Transformation Programme DPIA.

5.4 Identification methods

The same identifiers will be used as those under the existing regime. Name and previous names, National Insurance (NI) number, date of birth and address/address history are all collected as part of the official collection and recording of information. There will also be a continuation of existing powers to verify the identity of an individual through fingerprint data in some cases, as a means of preventing fraud. These are all subject to all appropriate safeguards. None of this information could ever be published or released to the general public.

5.5 Sensitive/Special Category personal data

The Bill will not result in the routine processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data about a person’s sex life or sexual orientation. Some biometric data will be processed in the form of fingerprints. The powers in the Bill to process such data replicate existing powers under the Police Act 1997. The processing of biometric data is necessary for reasons of substantial public interest (fraud prevention) on the basis of specific powers in the Bill. There are measures to safeguard the security of that information. All personal and sensitive data collected will continue to be treated the same as the current regime. This will include specific access controls, security clearances and specific design to meet the standards required by our security accreditor.

5.6 Changes to data handling procedures

There may be changes in processes as the Transformation programme evolves and digital capability increases. There will be no change to the level of data protection applied. Revised processes will be equal to or better than current processes which pass the required levels for DPA and GDPR.

The processes and systems needed for the independent reviewer will be based around existing practice, meeting all privacy and data protection requirements. The independent reviewer will be appointed by Scottish Ministers and will be required to comply with all necessary protections for handling sensitive information.

5.7 Statutory exemptions/protection

If personal information is shared with third parties through data sharing agreements or for legal/statutory requirements, Disclosure Scotland will confirm the third party has the appropriate legal justification. Disclosure Scotland is entitled to share information with the police for the law enforcement purposes within the meaning of section 31 of the DPA.

5.8 Justification

The new processes, and the changes in existing processes, are being made to ensure the disclosure system is rights respecting whilst continuing to safeguard the public. The changes are positive as they will simplify existing processes and will give applicants additional rights.

Disclosure Scotland collects, holds and processes personal information because the processing is necessary for the exercise of our functions as an Executive Agency as outlined in legislation that governs criminal records checks. This is a legitimate condition of processing as outlined under the DPA.

Individuals are made aware on the “declaration” section of the application of their personal data will be used. There is extensive information and guidance on Disclosure Scotland’s website. Information on the process for independent review will be provided to the applicant. Information on the appeals process will be provided to the applicant, as it already the case.

Below is a screenshot from the online application for a basic disclosure:

5.9 Other risks

There are currently numerous safeguards to protect all data privacy within Disclosure Scotland. The Transformation Programme delivering increased digital functionality will be implementing this measure as a minimal requirement. If a change is required, the new process will have to exceed the current security parameters.

This DPIA has identified that any changes in process are based on current data handling and storage arrangements and that these arrangements do not pose any significant risks to the privacy of that information.

We believe that the systems that are in place for managing the transfer and storage of data comply with legislative demands, and we will review any further legislative changes to ensure that the arrangements comply with them.